Permanent VPN connection

I'm connecting a branch office with 4 users to our head office network. In the past, when it's only been one user at our branch office, we have done this via a VPN connection.

I was wondering if someone could recommend a router, if there is one available, which would make a permanent VPN connection to our head office network and then share the VPN connection to the branch users from the router. This would save all our branch users having to create individual VPN connections directly from their PCs, and our current router seems unable to support more than one VPN pass-through connection at a time.

I would also like to know if a router is available which not only allows the permanent VPN connection to be made but also allows our branch users to connect directly to the internet and not have all the internet traffic go down the VPN and out through our head office. We only have one ADSL connection to the internet at the branch and I don't want to spend the money on a second connection.

What you're asking is quite typical, and not very difficult at all. You're looking for an IPSEC VPN, as opposed to an SSL VPN, which it seems your branch office is using now. IPSEC VPN will allow for a more permanent connection that can be shared amongst many computers. First, I'd like to know what routers you are using now. Most "VPN" routers have an easy-to-set-up VPN configuration that will do what you are asking. I use Netgear UTM products, but I think we're probably much larger than you sound. Basically, what you'll need is a static IP address at both ends. DDNS will work, but it complicates matters and isn't as reliable as a dedicated, public IP address. Then you'll need VPN routers at each location. I'd recommend using similar models at each and, certainly, the same brand, as this will simplify setting up the connection. After you've got these basic requirements met, it's just a matter of setting up the VPN between the locations.

However, depending on the size and nature of your business, you might want to consider one of the more 'enterprise' class routers out there. It could be harder to configure and maintain from a technical perspective, but you'll get much finer-grained security and better encryption, a.k.a. security (depending on whose option you choose).
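The setup described above (static IPs, a VPN router at each end, a tunnel between them) plus the original poster's wish to keep ordinary internet traffic off the tunnel is a split-tunnel site-to-site VPN. The following is an added example, not code from this thread or from any router vendor: it models the branch router's forwarding decision for split versus full tunnelling and includes the one check a practitioner should do before building the tunnel, that the two LANs do not overlap. All addresses (192.168.10.0/24 for the branch, 10.0.0.0/16 for head office, 203.0.113.10 as an internet host) are constructed.

```python
"""Branch-router forwarding model for a site-to-site IPsec tunnel with split
tunnelling (added example, not from the thread). All addresses are constructed."""
import ipaddress

BRANCH_LAN = "192.168.10.0/24"   # constructed branch office LAN
HQ_LANS = ["10.0.0.0/16"]        # constructed head-office LANs (the IPsec phase 2 selectors)


def overlapping(local_cidr, remote_cidrs):
    """Return the remote subnets that overlap the local LAN.

    A site-to-site tunnel only works when both ends use distinct address
    space; with an overlap the router cannot tell a branch host from a
    head-office host, so check this before building the tunnel.
    """
    local = ipaddress.ip_network(local_cidr)
    return [r for r in remote_cidrs if local.overlaps(ipaddress.ip_network(r))]


def next_hop(dst, split=True, local_cidr=BRANCH_LAN, remote_cidrs=HQ_LANS):
    """Decide how the branch router forwards a packet addressed to dst.

    'local'  : destination is on the branch LAN and never leaves the office
    'tunnel' : destination matches a head-office selector, encrypted via IPsec
    'direct' : anything else leaves the branch ADSL line via NAT

    With split=False (full tunnel) every non-local packet goes through the
    tunnel and out via head office, the behaviour the original poster wants
    to avoid.
    """
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(local_cidr):
        return "local"
    if not split or any(ip in ipaddress.ip_network(r) for r in remote_cidrs):
        return "tunnel"
    return "direct"


def route_table(dsts, split=True):
    """Classify a batch of destinations, e.g. to review a policy before rollout."""
    return {d: next_hop(d, split) for d in dsts}


if __name__ == "__main__":
    print("overlap:", overlapping(BRANCH_LAN, HQ_LANS) or "none")
    sample = ["192.168.10.20", "10.0.5.7", "203.0.113.10"]  # constructed destinations
    for mode in (True, False):
        print("split" if mode else "full", route_table(sample, split=mode))
```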

I am VERY skeptical of the idea that somehow a company that markets 'enterprise class' devices is going to offer better encryption and security. I'd have to see the study on that one. From the tests I have seen, a pfSense box can match enterprise class devices on every front except price.

What does something like a Cisco have to offer that pfSense does not? Higher initial costs. High TCO? Limited concurrent users?

I respect your opinion so if you have information I don't, I'd love to hear it.

William, I totally agree. We ditched almost all of our Cisco equipment in favor of Netgear UTM router/firewalls. They are very affordable and FANTASTIC when it comes to security, ease of use, flexibility and support.

While pfSense is VERY cool and very cost effective, and a great solution, it isn't a "turnkey" solution and tech support is somewhat limited. I'm not saying it isn't an excellent and viable option, but for someone with limited Linux and WAN experience, it might be a bit daunting.

James, in the end it really boils down to budget and capability. Explore your options, do your research (ask us questions), and make an educated decision as to what is correct for your situation. Also, feel free to contact me directly if you have questions.

On the one hand you've got the 'SoHo VPN' flavors from just about every consumer networking vendor. They work, but they have a limited configuration set and you can't monitor them well because they don't have the correct software set to support even SNMP. I can't say I like those.

There are solutions like pfSense, which don't have the limitations of the SoHo variety and are every bit as capable as the enterprise solutions. See, I said that, in public. The only thing that's missing from that solution is an organized support and warranty structure. I'm not saying you can't get it (I see your previous post), but when you are trying to certify to one of the high-security standards (HIPAA or PCI) or your IT department is run by a major corporation, having a partner, a vendor relationship and an upgrade / training path is important.

The solutions from WatchGuard, SonicWall, Juniper and Cisco, I agree, are not always affordable, but at the same time they offer 24 x 7 x 4-hour on-site support, training, certification paths, updates, and entire networks of support. Not to mention integration with IPS / IDS solutions, UCS systems, video integration, monitoring suites, etc., etc. If you have the money and the need, all of that technology is very "tied-in", meaning you don't have to build your own solutions from multiple vendors.

So, in order not to stray off the original topic too far (I might have to do a blog post on just this subject), I'll extend this one final thought:
In the OP's case a light solution (Netgear, Linksys, or even the WatchGuard SoHo series) will probably offer the best price point / protection without the expense of learning how to configure a pfSense setup from scratch. On the other hand, pfSense would be my recommendation if there is time available to do some familiarization training.

With Rockbochs and similar companies, you get a pre-configured firewall UTM device. No BSD training or knowledge is required.

I understand your concerns but don't think that the FOSS community doesn't have you covered when it comes to organized support, warranty, and security standards.
Going back to pfSense as an example (though it is certainly not the only one) let's address those concerns.

Organized support: pfSense is a BSD firewall. There are no shortages of BSD support channels available. Also, when looking at preconfigured pfSense appliances like the Rockbochs offerings, you will find that not only is there support, but also training channels, support contracts, deployment services, and integration, auditing, and hardening services.

High-security standards (HIPAA or PCI): I've employed open source firewalls, UTM devices, mail gateways, etc. in large-scale hospital settings. We have never had an issue with HIPAA or JCAHO audits. Also, when having third-party external pen testing and audits, we see a marked improvement over existing implementations from companies like Cisco and Watchdog. Most often the cause is misconfiguration of the commercial devices. To me, this indicates that even though these companies are supposed to have better documentation and support, those benefits do not play out in reality at the point of deployment.

Multi-vendor mess: For companies that prefer a single vendor and support channel, there are dozens of firms who specialize in full system solutions including networking, authentication, LDAP, firewall, IDS/IPS, application-layer firewalling, etc. You can build an entire network from the ground up using pre-built and integrated open source solutions.

There is a very good reason we are seeing entire countries moving to OSS/FOSS. The total TCO wins. After looking at long-term support, licensing costs, training, certification, hardware costs, etc., etc., OSS/FOSS wins.

With any solution, FOSS / OSS or commercial, configuration has to be complete and correct for the environment. This extends from the manufacturer of the hardware right on up to the last person writing an ACL, route or NAT statement. If it's not scaled and programmed correctly, either path is a waste of money.

In the end I think it comes down to what the organization is comfortable with from a technical perspective. There is no "security in a box" regardless of the logo that may be on that box.

Of course, this is also true of switches, routers, workstations, operating systems, etc. If the individuals responsible for maintaining or operating the equipment are not comfortable / competent doing so, those devices will fail to perform as intended.

pfSense will definitely establish a more permanent and versatile connection for your business solution. I would recommend IPSEC VPN, which is the most commonly used solution for point-to-point connectivity, over pfSense's other solutions, as well as other open source firewalls and most all commercial firewall solutions. It also allows you to provide a mobile connection for users if you come across the need at a later date, as long as they are not behind NAT. The only drawback to pfSense is that you will need to either have gone through some familiarization training to learn how to configure it, or ensure you purchase a turnkey router/firewall that is already set up and ready for use.

Another option is VPN Dialer 2012 (you can Google for it), which leverages the built-in VPN client in Windows desktop operating systems, runs as a service, and keeps a designated VPN connection connected permanently, for as long as there is power and Internet access. It will do this at boot time, so you don't have to log in. You can configure multiple VPN servers on the remote network, so there is redundancy in case one of the VPN servers needs to be taken down for work. It has an easy-to-use configuration wizard. Check it out.